My news stories on Infosecurity Magazine, Friday 2 March:
“ACTA’s harm greatly exceeds its potential benefits…”
Yesterday the Directorate General for External Policies at the European Parliament held a workshop on the Anti-Counterfeiting Trade Agreement (ACTA).
02 March 2012
Compromised websites leading to banking malware
M86 Security is warning that recent spam campaigns are luring victims to compromised websites that redirect to malicious Phoenix-hosting sites, which in turn seek to infect the visitor with the Cridex trojan.
02 March 2012
The ten most important security events and issues from 2011, and what they presage for the future
Kaspersky Lab’s analysis of the ‘evolution of malware’ during 2011, from the rise of hacktivism to the emergence of Mac malware; and the consequent lessons for the future.
02 March 2012
Last week’s news stories (Jan 30 to Feb 3):
Security researchers break satellite phone encryption
German researchers have cracked 2 satellite phone encryption codes – huge implications.
EU publishes 10 Myths about ACTA
EU says ACTA ain’t bad, just misunderstood.
VeriSign repeatedly hacked in 2010
VeriSign was repeatedly hacked in 2010, and never even told its own senior management.
Science and Technology Committee publishes Malware and Cyber Crime report
Commons committee makes recommendations on how to tackle cybercrime.
New development in post-transaction banking fraud
Banking malware now seeks to divert telephone calls between banks and customers.
Counterclank is not malware, just aggressive adware
Contrary to Symantec’s initial claim, Android’s Counterclank (Apperhand) is not a trojan.
Major UK companies still not blocking porn namesakes
UK companies remain open to cybersquatting by YourBrandName.xxx
New Forrester Report: Big Data Risks
Forrester describes how to secure Big Data.
Resilience is the key to security says World Economic Forum
The WEF suggests taking a holistic view of resilience to risk rather than an isolated view of prevention.
A call for a new standard in infosec training and awareness
We need a new standard to improve security awareness in users.
IE6 users: no longer caught between a rock and a hard place
A new product allows legacy IE6 applications to run in new versions of the browser.
75% of all new malware are trojans
PandaLabs 2011 report is full of facts, figures and information.
Spam and phishing are growing problems: DMARC has the answer
A new standard is being developed to help stop spam and phishing.
CSO Interchange: Cloud concerns are largely propaganda
Misunderstandings about the cloud make it seem a problem rather than an opportunity.
Up to five million Androids infected with Counterclank
Android’s largest ever infection reported by Symantec.
I’m not behind Kelihos botnet, claims Sabelnikov
Man named by Microsoft says I didn’t do it, guv.
Rogueware, which is malware that pretends to be legitimate anti-virus software, is one of the biggest threats we currently face. Inherent in all rogueware is a hidden warning: if you don’t buy our software, you will continue to suffer from viruses and trojans. It’s a short step from the ‘buy our product for your security’ warning, to a ‘buy our product or else’ extortion.
But now the ‘threat as a by-product’ is morphing into pure blackmail: ransomware. It’s been around for a few years, but a recent Kaspersky blog highlights the return of GpCode-like ransomware, which makes no pretence of being legitimate: it encrypts your files and won’t let you have them back unless you pay a ransom.
We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008…
As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive.
With the earlier versions Kaspersky managed, in some cases, to recover the data as well as remove the trojan. This time it’s more difficult. David Emm, senior security researcher at Kaspersky Lab, explained the basis of ransomware, and the difference between the earlier version and this new ransomware; and in particular why this new version is more dangerous.
“The GpCode trojan is one of the main examples of ransomware. It is code used to extort money from people. The way it works is to encrypt files on the computer: documents, presentations, spreadsheets, anything really. It encrypts them and then either pops up a message on the screen, or maybe just writes a text file to the disk, so that when the user notices he cannot access something, then he gets the message. It says something like ‘I’ve encrypted your data, and if you want to get it back, you’ll need to decrypt it; and that means sending me an email message.’ So you send the email message to the address given, and then whoever it is replies, ‘Right, well I can soon fix that and decrypt everything, but it will cost you…’
“The Trojan encrypts your files with 1024-bit RSA and AES 256 cryptography,” he said, both of which are pretty well uncrackable. “In the older versions, the code encrypted the files, and then deleted the originals. We didn’t crack the cryptography, we managed to recover the deleted files. So we could remove the trojan and recover the files. But this new version doesn’t work like that; and we haven’t yet found a way to recover any lost data.”
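To make the mechanism in that quote concrete, here is an added example, written for this page and not taken from Kaspersky’s analysis or from the trojan itself, of the RSA-plus-AES envelope scheme it describes: each file gets its own random AES-256 key, the file body is encrypted under that key, and the key is then wrapped with the extortionist’s RSA public key, so nothing left on the victim’s machine can unwrap it. GCM mode, OAEP padding, 2048-bit RSA (the page cites 1024-bit) and the sample document are all assumptions; the construction itself is the same envelope encryption that backup tools and cloud key services use, and the only difference is who holds the private key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what an envelope-encrypting trojan leaves on disk in place
// of a document: the per-file AES-256 data key wrapped under the extortionist's
// RSA public key, the AES-GCM nonce, and the ciphertext. Nothing in it can be
// opened without the RSA private key, which never reaches the victim's machine.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(pub, dataKey)
	Nonce      []byte // AES-GCM nonce, random per file
	Ciphertext []byte // AES-256-GCM(dataKey, plaintext)
}

// EnvelopeEncrypt performs the RSA+AES scheme the page describes: a fresh random
// AES-256 key per file, the file encrypted with that key (GCM mode is an
// assumption; the page names only "AES 256"), and the key wrapped with RSA
// (OAEP is likewise an assumption) so only the private-key holder can unwrap it.
func EnvelopeEncrypt(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	dataKey := make([]byte, 32) // 256-bit AES key
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// EnvelopeDecrypt is the step the victim is asked to pay for. Without the
// matching private key the RSA unwrap fails, and a random 256-bit data key is
// not something an AV lab can recover by guessing.
func EnvelopeDecrypt(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// RecoveredByWrongKey models the position of anyone who has the public key
// embedded in the trojan and the encrypted files but not the extortionist's
// private key: it reports whether decrypting with some other private key
// yields the original bytes. It never does.
func RecoveredByWrongKey(wrongPriv *rsa.PrivateKey, ef *EncryptedFile, original []byte) bool {
	pt, err := EnvelopeDecrypt(wrongPriv, ef)
	return err == nil && bytes.Equal(pt, original)
}

func main() {
	// The extortionist's key pair (2048 bits here; the page cites 1024-bit RSA).
	// Only the public half would be embedded in the trojan.
	extortionist, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample "document" standing in for a victim's spreadsheet.
	doc := []byte("Q1 forecast: revenue 1.2M, costs 0.9M (constructed sample)")

	ef, err := EnvelopeEncrypt(&extortionist.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %d-byte wrapped key, %d-byte ciphertext\n", len(ef.WrappedKey), len(ef.Ciphertext))

	lab, _ := rsa.GenerateKey(rand.Reader, 2048) // any key but the real one
	fmt.Println("recovered without the extortionist's key:", RecoveredByWrongKey(lab, ef, doc))

	pt, err := EnvelopeDecrypt(extortionist, ef) // what the payment buys
	fmt.Println("recovered with the extortionist's key:", err == nil && bytes.Equal(pt, doc))
}
```

Decrypting with any key other than the extortionist’s fails at the RSA unwrap step, not at the AES step, which is why the earlier recoveries relied on undeleting the plaintext originals rather than on breaking the cryptography, and why, once those originals are gone, restoring from backup is the only guaranteed route back to the data.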
His advice is unchanged. “Their MO is that they prey on someone who is vulnerable – extortion, online or offline, always works like this – and the vulnerability in this case is that you don’t have a back-up of your data. So if you haven’t got back-up, and you find you cannot access your files, or you get a pop-up message or email telling you that payment of £10, €20, $50 or whatever will get you a decryption method, turn off your computer immediately and contact a reputable anti-virus company.” The more you use your system, the less likely it is that any deleted files can be recovered, because every write risks overwriting them. The old method of recovery doesn’t work with this new ransomware; but the AV and data recovery companies might yet find an alternative solution.
Cure, of course, is never as good as prevention. “It’s the small businesses and home users that are going to suffer,” David explained. “In a medium-sized business or larger, anyone who gets infected can just go to the IT guys, and they’ll rebuild the system and data from the company back-ups. But small businesses and home users often don’t have any backup. And restoring from backup is the only way you can guarantee to get encrypted files back.”
Don’t wait to get caught by ransomware. If you do, it may be too late and your only choice will be to pay the criminals or lose your data. You need to
- behave securely in cyberspace to avoid infection
- and use mainstream anti-virus to minimize infection
- and get adequate backup to recover from infection
- else contact a mainstream anti-virus company in the event of infection.
Do not just rely on the last of these.